From the details of the report it looks like you need to know details of the hashcode implementation as well as the hash table code, if in fact a hashtable is used. Very unlikely the same exact exploit would work across systems. Also I'm very skeptical ... Even a badly written hashtable shouldn't perform as badly as indicated with only thousands of collisions.... 90 seconds of CPU for a few thousand entries ???
Sent from my iPad (excuse the terseness)

David A Lee
d...@calldei.com

On Jan 3, 2012, at 11:12 AM, Geert Josten <geert.jos...@dayon.nl> wrote:

> Ryan,
>
> Do you recall there was any mention of Apache HTTPD by any chance?
>
> Kind regards,
> Geert
>
> From: general-boun...@developer.marklogic.com
> [mailto:general-boun...@developer.marklogic.com] On behalf of seme...@hotmail.com
> Sent: Tuesday 3 January 2012 16:56
> To: general@developer.marklogic.com
> Subject: Re: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
>
> I haven't been able to produce this problem on a MarkLogic instance. My concerns have been assuaged about it for MarkLogic.
>
> From: geert.jos...@dayon.nl
> Date: Tue, 3 Jan 2012 15:54:47 +0100
> To: general@developer.marklogic.com
> Subject: Re: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
>
> Hi Ryan,
>
> Have you tried? (at home preferably ;)
>
> Kind regards,
> Geert
>
> From: general-boun...@developer.marklogic.com
> [mailto:general-boun...@developer.marklogic.com] On behalf of seme...@hotmail.com
> Sent: Thursday 29 December 2011 18:16
> To: general@developer.marklogic.com
> Subject: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
>
> Quote:
>
> Researchers have shown how a flaw that is common to most popular Web programming languages can be used to launch denial-of-service attacks by exploiting hash tables. Announced publicly on Wednesday at the Chaos Communication Congress event in Germany, the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google's open source JavaScript engine V8. The vendors and developers behind these technologies are working to close the vulnerability, with Microsoft warning of "imminent public release of exploit code" for what is known as a hash collision attack.
>
> ...
>
> "Hash tables are a commonly used data structure in most programming languages," they explained. "Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request."
>
> more-> http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars
>
> Seems to be a big deal with a lot of servers. Is MarkLogic affected?
>
> thanks,
> Ryan
_______________________________________________ General mailing list General@developer.marklogic.com http://developer.marklogic.com/mailman/listinfo/general
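An added example, not part of the thread and not MarkLogic's code, showing the degeneration the quoted article describes and why David's "only thousands of collisions" intuition misses the point: the cost is not the collisions themselves but the chain walk on every insert, which with n keys in one bucket is n(n-1)/2 key comparisons. It uses Java's unkeyed String.hashCode() (h = 31*h + c) as the predictable hash, the fact that "Aa" and "BB" both hash to 2112 to build 2**n colliding keys, a toy separate-chaining table that counts comparisons, and the two mitigations the article names: a per-process keyed hash and a parameter-count limit applied before anything is hashed. The table, its size, the key set and the BLAKE2b-based keyed hash are all constructed for illustration.

```python
"""Added example: colliding keys turn hash-table inserts quadratic, and two
mitigations (a keyed hash and a parameter-count limit). Toy code, not MarkLogic's."""
import hashlib
import itertools
import secrets

MASK32 = 0xFFFFFFFF


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c with 32-bit wraparound (unkeyed, so predictable)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h


def colliding_keys(n_blocks: int) -> list:
    """'Aa' and 'BB' both hash to 2112, so every string built from n_blocks of those two
    blocks shares one hash value: 2**n_blocks distinct keys, one bucket, whatever the table size."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def keyed_hash(secret: bytes):
    """The 'randomized hash function' mitigation: BLAKE2b keyed with a per-process secret
    the attacker cannot know, truncated to 64 bits (constructed stand-in for SipHash-style hashing)."""
    def h(s: str) -> int:
        return int.from_bytes(hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest(), "big")
    return h


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0  # key comparisons across all inserts: the CPU cost being attacked

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:  # walk the chain; if every key lands here this is O(n) per insert
            self.probes += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def insert_cost(keys, hash_fn):
    """Return (total key comparisons, longest chain) after inserting all keys."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, "1")
    return table.probes, table.max_chain()


def parse_form(body: str, hash_fn, max_params: int = 1000) -> ChainedTable:
    """Parse a 'k=v&k2=v2' body into a table, refusing oversized bodies before hashing
    anything (the 'recognize the attack' mitigation: a hard cap on parameter count)."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_params:
        raise ValueError(f"too many form parameters: {len(pairs)} > {max_params}")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        key, _, value = pair.partition("=")
        table.insert(key, value)
    return table


if __name__ == "__main__":
    keys = colliding_keys(12)  # 4096 constructed keys, all with the same Java hash
    print("keys:", len(keys), "distinct Java hashes:", len(set(map(java_string_hash, keys))))
    print("unkeyed hash (probes, max chain):", insert_cost(keys, java_string_hash))
    print("keyed hash   (probes, max chain):", insert_cost(keys, keyed_hash(secrets.token_bytes(16))))
    try:
        parse_form("&".join(k + "=1" for k in keys), java_string_hash)
    except ValueError as exc:
        print("parameter limit:", exc)
```

With 4096 colliding keys the unkeyed table does 4096*4095/2 = 8,386,560 comparisons and one chain of length 4096; the same keys under the keyed hash spread over the buckets and cost on the order of 10,000 comparisons. Growing the table does not help, because the keys share the full hash value, not just the bucket index, so resizing moves the whole chain to one new bucket. Scaling the key count to the tens of thousands a single POST body can carry is what turns this into the CPU times the article quotes.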